Nmap Scripting Engine (NSE) categories:
safe:- Won't affect the target
intrusive:- Not safe: likely to affect the target
vuln:- Scan for vulnerabilities
exploit:- Attempt to exploit a vulnerability
auth:- Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)
brute:- Attempt to brute-force credentials for running services
discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).
A more exhaustive list can be found here.
To run a specific script, we would use --script=<script-name> , e.g. --script=http-fileupload-exploiter.
Multiple scripts can be run simultaneously in this fashion by separating them by a comma. For example: --script=smb-enum-users,smb-enum-shares
A full list of scripts and their corresponding arguments (along with example use cases) can be found here.
On Linux, Nmap stores all of its NSE scripts in /usr/share/nmap/scripts by default.
It is also possible to install a script manually by downloading it from Nmap (sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse). This must then be followed by nmap --script-updatedb, which updates the script.db file to include the newly downloaded script.
Use locate '*.nse' | grep <protocol_name> to search for the applicable scripts.
To execute nmap with scripts use the following flags:
-sC flag loads the default scripts: nmap -sC <target> or nmap --script=default <target> or nmap --script default <target>
--script flag to load specific scripts found above: nmap --script http-headers <target>
--script-help will provide a brief description of the script: nmap --script-help http-headers <target>
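As an added example (not from the original notes and not nmap's own code), the following Python parses the script.db format that nmap --script-updatedb regenerates, so scripts can be selected by category (for instance everything tagged safe but not intrusive) and turned into the comma-separated --script= argument described above. The script.db text embedded here is a constructed sample; the real file lives at /usr/share/nmap/scripts/script.db, and the categories shown for the sample scripts are illustrative.

```python
import re

# Constructed sample in the script.db format (one Lua "Entry" table per script).
# The real file is /usr/share/nmap/scripts/script.db; categories here are illustrative.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
Entry { filename = "http-fileupload-exploiter.nse", categories = { "intrusive", "vuln", } }
"""

# One Entry per line: capture the filename and the raw category list.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {script_name: set_of_categories} for every Entry in script.db text."""
    db = {}
    for match in ENTRY_RE.finditer(text):
        filename, raw_categories = match.groups()
        name = filename[:-4] if filename.endswith(".nse") else filename
        db[name] = set(re.findall(r'"([^"]+)"', raw_categories))
    return db


def load_script_db(path="/usr/share/nmap/scripts/script.db"):
    """Parse the installed script.db (run `nmap --script-updatedb` after adding scripts)."""
    with open(path, encoding="utf-8") as fh:
        return parse_script_db(fh.read())


def select_scripts(db, require=(), exclude=()):
    """Scripts carrying every category in `require` and none of those in `exclude`."""
    required, excluded = set(require), set(exclude)
    return sorted(
        name for name, categories in db.items()
        if required <= categories and not (excluded & categories)
    )


def nmap_script_arg(names):
    """Build the comma-separated --script= argument for a list of script names."""
    return "--script=" + ",".join(names)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    # Everything marked safe that is not also intrusive: low-impact reconnaissance only.
    quiet = select_scripts(db, require=("safe",), exclude=("intrusive",))
    print(nmap_script_arg(quiet))  # --script=ftp-anon,http-headers
```

nmap itself also accepts category expressions directly (for example --script "safe and not intrusive"); parsing script.db this way is useful when you want to review the exact script list, and what each script may do to the target, before the scan is launched.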
Omit Non-Critical Tests:
Skip the port scan (-sn) when only determining which hosts are alive, especially over a larger IP address range.
Limit the number of ports; rate limiting and firewalls drop probe packets without responding. Use -F (the 100 most common ports), -p <ports>, or --top-ports <n>.
Skip advanced scans such as -sC and -sV on large networks.
Turn off DNS resolution when not needed; use the -n flag.
Optimize Timing Parameters:
Use the -T4 and --min-rate 1000 switches if detection is not an issue.
Nmap Manual: Timing and Performance
Nmap Manual: Timing Templates (-T)
Nmap Manual: Low-Level Timing Controls
Separate and Optimize TCP and UDP Scans
Execute Concurrent Nmap Instances: overall speed can be improved by dividing the scan into several large groups and executing those concurrently; run at most five to ten nmap processes.
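As an added example (not part of the original notes), the following Python splits a target range into equal subnets, capped at the number of concurrent nmap processes you are willing to run, and builds one command line per group using the speed-oriented switches from these notes (-n, -T4, --min-rate 1000, --top-ports). The -oA flag is nmap's own option for writing all three output formats under a basename; the thread-pool runner, the scan_NN basenames and the 10.0.0.0/16 range are assumptions of this example.

```python
import ipaddress
import math
import shlex
import subprocess
from concurrent.futures import ThreadPoolExecutor


def split_network(cidr, max_procs):
    """Split a CIDR into equal subnets, as many as possible without exceeding max_procs.

    Subnet counts are powers of two, so max_procs=5 yields 4 groups and max_procs=8 yields 8.
    """
    if max_procs < 1:
        raise ValueError("max_procs must be at least 1")
    net = ipaddress.ip_network(cidr, strict=False)
    extra_bits = int(math.log2(max_procs))  # largest power of two <= max_procs
    new_prefix = min(net.prefixlen + extra_bits, net.max_prefixlen)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def build_commands(cidr, max_procs=8, ports="--top-ports 1000"):
    """One nmap command line per group: no DNS (-n), aggressive timing, limited port list."""
    return [
        f"nmap -n -T4 --min-rate 1000 {ports} -oA scan_{i:02d} {subnet}"
        for i, subnet in enumerate(split_network(cidr, max_procs))
    ]


def run_concurrently(commands, max_procs=8):
    """Run the prepared nmap commands in parallel; returns each process's exit code."""
    def run(cmd):
        return subprocess.run(shlex.split(cmd), check=False).returncode

    with ThreadPoolExecutor(max_workers=max_procs) as pool:
        return list(pool.map(run, commands))


if __name__ == "__main__":
    # Constructed sample range; eight /19 groups, each scanned by its own nmap process.
    cmds = build_commands("10.0.0.0/16", max_procs=8)
    for cmd in cmds:
        print(cmd)
    # run_concurrently(cmds, max_procs=8)  # launches the scans when nmap is installed
```

Keeping the group count at a power of two makes every process cover the same number of addresses, so the slowest group does not dominate the wall-clock time; the notes' ceiling of five to ten processes is the max_procs cap.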
Use the -Pn switch to disable host discovery (ICMP/ping) and treat the target as being alive, effectively bypassing the ICMP block.
If on the same LAN, nmap can also use ARP requests to determine target status, thus use the
A comprehensive list of nmap switches to assist with firewall evasion can be found here.
-f:- Used to fragment the packets (i.e. split them into smaller pieces), making it less likely that the packets will be detected by a firewall or IDS.
An alternative to -f, providing more control over the size of the packets: --mtu <number> accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay <time>ms:- used to add a delay between the packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
--badsum:- used to generate an invalid checksum for packets. Any real TCP/IP stack would drop such a packet; however, firewalls may respond automatically without bothering to check the packet's checksum. As such, this switch can be used to determine the presence of a firewall/IDS.
Firewalls are usually configured to drop incoming TCP packets (with the SYN flag set) to blocked/filtered ports, thus blocking new connection initiation requests. By sending request packets without the SYN flag, bypassing this kind of firewall is possible. However, modern IDS solutions can detect these scan types, so do not rely on this scan technique.
Consider using the -sF, -sX, and -sN switches for firewall detection and evasion. These packets do not include a set SYN flag.
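As an added illustration of the --badsum and SYN-less scan behaviours described above (example code, not part of the original notes and not nmap's implementation), the following Python builds a minimal TCP header with chosen flags, computes the TCP checksum over the IPv4 pseudo-header, and verifies it. A probe with a corrupted checksum fails verification, which is why a conforming TCP/IP stack or a checksum-aware filter stays silent while a device that skips validation still answers; a FIN, Xmas or Null probe verifies fine but carries no SYN bit, which is why a rule that inspects only SYN packets never sees it. The addresses and port numbers are constructed sample values from documentation ranges.

```python
import socket
import struct

# TCP flag bits (RFC 793); the scan types in the notes send SYN-less combinations.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NULL_FLAGS = 0x00              # -sN: no flags set
XMAS_FLAGS = FIN | PSH | URG   # -sX: FIN, PSH and URG "lit up"

# Constructed sample addresses (documentation ranges, not real hosts).
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, flags=SYN, bad_checksum=False):
    """20-byte TCP header with the given flags and a correct (or deliberately wrong) checksum."""
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum (0), urgent ptr
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    if bad_checksum:
        csum ^= 0x8000  # flip the top bit: the stored checksum can never verify
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """A segment whose stored checksum is correct sums to all ones, so the checksum over it is 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def tcp_flags(segment):
    """Flags byte of a TCP header (offset 13)."""
    return segment[13]


def classify(src_ip, dst_ip, segment):
    """What a checksum-aware, SYN-aware filter would conclude about an incoming probe."""
    if not tcp_checksum_ok(src_ip, dst_ip, segment):
        return "drop: bad checksum"
    if tcp_flags(segment) & SYN:
        return "connection attempt (SYN)"
    return "SYN-less probe: %#04x" % tcp_flags(segment)


if __name__ == "__main__":
    for label, seg in [
        ("syn", build_segment(SRC_IP, DST_IP, 40000, 80)),
        ("badsum", build_segment(SRC_IP, DST_IP, 40000, 80, bad_checksum=True)),
        ("xmas", build_segment(SRC_IP, DST_IP, 40000, 80, flags=XMAS_FLAGS)),
        ("null", build_segment(SRC_IP, DST_IP, 40000, 80, flags=NULL_FLAGS)),
    ]:
        print(f"{label:7s} -> {classify(SRC_IP, DST_IP, seg)}")
```

The defensive takeaway is in classify(): a filter that validates the checksum before answering does not give away its presence to --badsum probes, and one that matches on flag combinations rather than on SYN alone sees the -sF/-sX/-sN probes that the notes say a SYN-only rule misses.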